Table of Contents
Fetching ...

GraphRAG under Fire

Jiacheng Liang, Yuhui Wang, Changjiang Li, Rongyi Zhu, Tanqiu Jiang, Neil Gong, Ting Wang

TL;DR

GraphRAG under Fire evaluates the security of GraphRAG, a graph-based RAG system, revealing that while standard poisoning attacks lose effectiveness due to graph-based indexing and reasoning, new vulnerabilities emerge that allow scalable, multi-query poisoning. The authors introduce GragPoison, a text-driven attack that identifies shared graph relations and injects competing relations with reinforcing narratives, achieving high attack success rates across multiple domains with limited poisoned text. A comprehensive set of ablations demonstrates the importance of relation selection, narrative techniques, and graph scale, and extensions show applicability to targeted attacks and alternative GraphRAG variants. The work also discusses defenses, finding that paraphrasing, model knowledge referencing, CoT consistency, detection, and provenance-aware scoring provide limited protection, highlighting the need for provenance-aware retrieval and robust graph-aware defenses.

Abstract

GraphRAG advances retrieval-augmented generation (RAG) by structuring external knowledge as multi-scale knowledge graphs, enabling language models to integrate both broad context and granular details in their generation. While GraphRAG has demonstrated success across domains, its security implications remain largely unexplored. To bridge this gap, this work examines GraphRAG's vulnerability to poisoning attacks, uncovering an intriguing security paradox: existing RAG poisoning attacks are less effective under GraphRAG than conventional RAG, due to GraphRAG's graph-based indexing and retrieval; yet, the same features also create new attack surfaces. We present GragPoison, a novel attack that exploits shared relations in the underlying knowledge graph to craft poisoning text capable of compromising multiple queries simultaneously. GragPoison employs three key strategies: (i) relation injection to introduce false knowledge, (ii) relation enhancement to amplify poisoning influence, and (iii) narrative generation to embed malicious content within coherent text. Empirical evaluation across diverse datasets and models shows that GragPoison substantially outperforms existing attacks in terms of effectiveness (up to 98% success rate) and scalability (using less than 68% poisoning text) on multiple variations of GraphRAG. We also explore potential defensive measures and their limitations, identifying promising directions for future research.

GraphRAG under Fire

TL;DR

GraphRAG under Fire evaluates the security of GraphRAG, a graph-based RAG system, revealing that while standard poisoning attacks lose effectiveness due to graph-based indexing and reasoning, new vulnerabilities emerge that allow scalable, multi-query poisoning. The authors introduce GragPoison, a text-driven attack that identifies shared graph relations and injects competing relations with reinforcing narratives, achieving high attack success rates across multiple domains with limited poisoned text. A comprehensive set of ablations demonstrates the importance of relation selection, narrative techniques, and graph scale, and extensions show applicability to targeted attacks and alternative GraphRAG variants. The work also discusses defenses, finding that paraphrasing, model knowledge referencing, CoT consistency, detection, and provenance-aware scoring provide limited protection, highlighting the need for provenance-aware retrieval and robust graph-aware defenses.

Abstract

GraphRAG advances retrieval-augmented generation (RAG) by structuring external knowledge as multi-scale knowledge graphs, enabling language models to integrate both broad context and granular details in their generation. While GraphRAG has demonstrated success across domains, its security implications remain largely unexplored. To bridge this gap, this work examines GraphRAG's vulnerability to poisoning attacks, uncovering an intriguing security paradox: existing RAG poisoning attacks are less effective under GraphRAG than conventional RAG, due to GraphRAG's graph-based indexing and retrieval; yet, the same features also create new attack surfaces. We present GragPoison, a novel attack that exploits shared relations in the underlying knowledge graph to craft poisoning text capable of compromising multiple queries simultaneously. GragPoison employs three key strategies: (i) relation injection to introduce false knowledge, (ii) relation enhancement to amplify poisoning influence, and (iii) narrative generation to embed malicious content within coherent text. Empirical evaluation across diverse datasets and models shows that GragPoison substantially outperforms existing attacks in terms of effectiveness (up to 98% success rate) and scalability (using less than 68% poisoning text) on multiple variations of GraphRAG. We also explore potential defensive measures and their limitations, identifying promising directions for future research.
Paper Structure (39 sections, 4 equations, 9 figures, 13 tables, 1 algorithm)

This paper contains 39 sections, 4 equations, 9 figures, 13 tables, 1 algorithm.

Figures (9)

  • Figure 1: Poisoning attacks on GraphRAG.
  • Figure 2: Schematic illustration of GraphRAG concepts:(a) A representative subgraph dynamically constructed by GraphRAG from a text corpus, featuring explicit entities as nodes (e.g., " Stuxnet", " DLL Injection") and semantic relations as labeled edges (e.g., " Utilize", " Mitigate by"). (b) Visualization of a multi-hop query (" How to mitigate...") traversing a path through connected entities and relations within this text-derived graph. (c) Example of two related queries (" How to mitigate..." and " How to detect...") that share common underlying entities and relations within the graph structure. Crucially, GraphRAG constructs this graph by extracting text to serve as a knowledge graph for answering queries, with an LLM employed throughout the whole process.
  • Figure 3: Overview of GragPoison. GragPoison operates through three phases: (i) Relation Selection: Identifying critical shared relations from inferred query-related subgraphs using LLM's chain-of-thought reasoning. (ii) Relation Injection: Injecting deceptive competing relations ($r^*$) through semantically crafted textual descriptions ($d_r^*$), concealed within logical "covering narratives" (iii) Relation Enhancement: Strengthening injected relations by creating supporting textual narratives ($d_r^+$) to boost their centrality and retrieval priority. Unlike traditional graph poisoning attacks that assume explicit graph knowledge and directly manipulate structures or node/edge features/embeddings, GragPoison must infer relevant graph portions (i.e. Relation Selection) and then generate poisoning textual narratives targeting the source corpus (i.e. Relation Injection, Relation Enhancement).
  • Figure 4: Example of attacking two related queries. (a) A baseline ( PoisonedRAG) approach attacks each query separately with distinct misinformation. (b) GragPoison's relation injection adds poisoning text ($d_r^*$) directly into the knowledge base, injecting a competing relation ("Process Hollowing") to override the original relation ("DLL Injection"). Note that in the KG-agnostic setting, the target relation $r$ is inferred by the adversary from query, and may not match the actual relation in the underlying knowledge graph. (c) GragPoison's relation enhancement further creates supporting relations ($d_r^+$) into the knowledge base, reinforcing the presence of the injected relation $r^*$ and entity $v^*_r$ within both the retrieved relevant relations $R(x)$ and community summaries $S(x)$.
  • Figure 5: Impact of the number of poisoning text variants ($N_\alpha$).
  • ...and 4 more figures

Theorems & Definitions (8)

  • Example 1
  • Example 2
  • Example 3
  • Example 4
  • Example 5
  • Example 6
  • Example 7
  • Example 8